laurilehmijoki / s3_website

Manage an S3 website: sync, deliver via CloudFront, benefit from advanced S3 website features.

Add support STS credentials #217

Open petemounce opened 8 years ago

petemounce commented 8 years ago

Where I am, we grant read permissions to users for general use, and then allow them to sts:AssumeRole to elevate to granular write permissions that are attached to IAM::Role resources.

The AWS CLI supports this via the ~/.aws/credentials file like so:

```ini
[regular_user]
aws_access_key_id = <blah>
aws_secret_access_key = <blah>

[author_role]
role_arn = arn:aws:iam::<account>:role/<rest of ARN>
source_profile = regular_user
```

The SDKs also have support for this sort of thing (Ruby and Java too).

Please could s3_website grow this capability? At the moment if I try temporarily granted session credentials from assuming my role, I get:

```
<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>InvalidAccessKeyId</Code>
  <Message>The AWS Access Key Id you provided does not exist in our records.</Message>
  <AWSAccessKeyId>[temp access key]</AWSAccessKeyId>
  <RequestId>[some request id]</RequestId>
  <HostId>[some host id]</HostId>
</Error>
(GenericError)
```

I'm doing that by, in s3_website.yml:

```erb
<%
require 'rubygems'
require 'aws-sdk'
# Read the long-term key pair from the named profile in ~/.aws/credentials
profile = Aws::SharedCredentials.new profile_name: 'regular_user'
puts 'profile: '
puts profile.credentials.access_key_id
# STS client authenticated with that long-term key pair
client = Aws::STS::Client.new(
  access_key_id: profile.credentials.access_key_id,
  secret_access_key: profile.credentials.secret_access_key
)
# AssumeRole returns temporary credentials: key id, secret AND session token
creds = Aws::AssumeRoleCredentials.new role_arn: 'role-arn', role_session_name: 'arbitrary-session-id', client: client
puts 'creds: ' + creds.credentials.access_key_id
%>
# Only the key id and secret reach s3_website; the session token
# (creds.credentials.session_token) has no config key to go into, so S3
# sees a temporary key id without its token and answers InvalidAccessKeyId.
s3_id: <%= creds.credentials.access_key_id %>
s3_secret: <%= creds.credentials.secret_access_key %>
# rest of s3_website.yml follows
```
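The profile chain described above (a static `[regular_user]` key pair plus an `[author_role]` entry with `role_arn` and `source_profile`), as an added example that is not part of this issue thread or of s3_website's own code: a small Ruby resolver for that credentials-file layout, followed by a completeness check for the credential set that ends up in s3_website.yml. The INI text, key ids and role ARN are constructed placeholders; the `ASIA`/`AKIA` key-id prefix used to tell temporary from long-term keys is a heuristic based on AWS's key-id conventions, not something the SDK exposes.

```ruby
# Added example (not s3_website's own code): resolve a ~/.aws/credentials
# profile chain (role_arn + source_profile) from INI text, and check that
# a credential set is complete before it is written into s3_website.yml.

# Constructed sample credentials file, mirroring the layout in the issue.
# Key ids, secret and role ARN are placeholders, not real credentials.
SAMPLE_CREDENTIALS = <<~INI
  [regular_user]
  aws_access_key_id = AKIAEXAMPLEKEYID0000
  aws_secret_access_key = example-long-term-secret

  [author_role]
  role_arn = arn:aws:iam::123456789012:role/example-author
  source_profile = regular_user
INI

# Parse INI-style profiles into { profile_name => { key => value } }.
def parse_profiles(text)
  profiles = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (section = line.match(/\A\[(.+)\]\z/))
      # ~/.aws/config prefixes names with "profile "; credentials files do not.
      current = section[1].strip.sub(/\Aprofile\s+/, '')
      profiles[current] = {}
    elsif current && (kv = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      profiles[current][kv[1]] = kv[2].strip
    end
  end
  profiles
end

# Follow source_profile links back to a static key pair and return the
# steps a client takes: the static credentials first, then each AssumeRole
# hop in order. Unknown profiles, dangling links and cycles raise.
def resolve_chain(profiles, name, seen = [])
  raise ArgumentError, "unknown profile #{name.inspect}" unless profiles.key?(name)
  raise ArgumentError, "source_profile loop: #{(seen + [name]).join(' -> ')}" if seen.include?(name)

  prof = profiles[name]
  if prof['role_arn']
    source = prof['source_profile']
    raise ArgumentError, "profile #{name} has role_arn but no source_profile" unless source
    base = resolve_chain(profiles, source, seen + [name])
    base + [{ kind: :assume_role, profile: name, role_arn: prof['role_arn'] }]
  else
    [{ kind: :static, profile: name,
       access_key_id: prof['aws_access_key_id'],
       secret_access_key: prof['aws_secret_access_key'] }]
  end
end

# Check a credential set before handing it to a client. Temporary (STS)
# credentials are a triple: key id, secret AND session token; a temporary
# key id sent without its token is what S3 rejects as InvalidAccessKeyId.
# Heuristic (assumption): AWS temporary key ids start with "ASIA", long-term
# ones with "AKIA".
def credential_problems(creds)
  problems = []
  problems << 'missing access_key_id' if creds[:access_key_id].to_s.empty?
  problems << 'missing secret_access_key' if creds[:secret_access_key].to_s.empty?
  if creds[:access_key_id].to_s.start_with?('ASIA') && creds[:session_token].to_s.empty?
    problems << 'temporary access key id without session_token'
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  profiles = parse_profiles(SAMPLE_CREDENTIALS)
  resolve_chain(profiles, 'author_role').each { |step| p step }
  # The shape the issue's s3_website.yml ends up with: temp key, no token.
  p credential_problems(access_key_id: 'ASIAEXAMPLETEMPKEY00',
                        secret_access_key: 'example-temp-secret')
end
```

`resolve_chain` is the part a built-in `~/.aws/credentials` feature would need: it tells the tool which static keys to load and which roles to assume, in order, without the user copying temporary keys into the config by hand. `credential_problems` is the guard that would have turned the opaque `InvalidAccessKeyId` response into a clear local error.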
laurilehmijoki commented 8 years ago

Hi @petemounce, to clarify: does your s3_website.yml snippet work? If it does, what advantages do you see in s3_website having a "built-in" support for IAM Roles (instead of supporting IAM Roles via scripting like yours)?

petemounce commented 8 years ago

@laurilehmijoki sadly, the snippet does not work. That was so that I could use the ruby aws-sdk to read the credentials from my profile's AWS credentials file rather than set up environment variables. I work with around a dozen different accounts, so maintaining environment variables is too dangerous a route towards working in one account when I expect to be in another.

By the way, in the doing of this I've come up with a least-priv set of IAM to create in a managed policy - would you like a PR to your doc about that?

laurilehmijoki commented 8 years ago

If you think your AWS credentials setup benefits other users, please consider adding it to setting-up-aws-credentials.md and submitting a pull request.

laurilehmijoki commented 8 years ago

About the ~/.aws/credentials feature: I think it would be a good idea to grow s3_website to support that, but unfortunately due to my other commitments I don't have time to work on that right now. A pull request is of course appreciated.